American Administration Services Company
Fully Insured Employers May Be Required to Meet the HIPAA Privacy Rule's April 14, 2004 Compliance Deadline
Many employers, upon learning about the HIPAA Privacy Rule's "exemption" for fully-insured group health plans, breathed a sigh of relief. Under this "exemption," a group health plan is relieved from complying with the HIPAA Privacy Rule's most onerous requirements if the plan provides benefits "solely through an insurance contract with a health insurance issuer or HMO," (i.e., is fully insured) and receives only enrollment and disenrollment information and information summarizing claims history at the group level.
This apparent compliance oasis, in fact, is a mirage for many employers. The reason? Most medical flexible spending accounts ("FSAs") and most employee assistance programs ("EAPs") are subject to the HIPAA Privacy Rule, even though these plans typically do not result in the employer's creating or receiving a significant amount of health information about plan participants. Put another way, employers offering a medical FSA or an EAP as a complement to a fully-insured group health plan most likely will be required to comply with the HIPAA Privacy Rule by April 14, 2004, unless they scuttle these subsidiary, but highly popular, benefit plans.
Some Medical FSAs and Some EAPs are Excepted from HIPAA Compliance
The HIPAA Privacy Rule does offer an escape hatch for some fully insured employers who also offer a medical FSA or an EAP.
A medical FSA with fewer than 50 participants that also is self-administered falls outside the HIPAA Privacy Rule. Smaller employers whose medical FSA currently is administered by a third party should, therefore, weigh the cost of HIPAA compliance against the cost of in-house administration. Those with the resources to administer a medical FSA in-house should consider switching to in-house administration before April 14, 2004, as a means of avoiding the cost of HIPAA compliance and the potential liability for violations.
At least two types of EAPs fall outside the HIPAA compliance net. "Referral only" EAPs, i.e., those providing only referrals to mental health counselors, are not subject to ERISA and, therefore, also are not subject to HIPAA. In addition, some long-term disability carriers offer employee assistance programs as a benefit embedded in a disability income insurance policy. Because disability insurance is not subject to HIPAA, the subsidiary EAP benefit also is not covered. Employers whose EAP does not currently fall within one of these exceptions should weigh the benefit of their current program and the cost of HIPAA compliance against the cost of switching to an EAP not subject to HIPAA and the benefit of avoiding potential liability for violations.
Employers Offering a Medical FSA or an EAP Subject to HIPAA Should Take Six Steps to Comply with the HIPAA Privacy Rule
While the compliance obligations for medical FSAs and EAPs are the same as those for medical, dental and vision plans that are not fully insured, the compliance undertaking is less complex because fewer individuals typically are involved in plan administration, and the amount and type of employee health information available to the employer usually is limited. In the case of a medical FSA, a payroll administrator or benefits coordinator usually receives only monthly or quarterly reports reflecting account usage. EAPs, by contract, generally may not disclose any health information to the employer without the plan participant's written authorization. Given this distinction from self-insured medical, dental and vision plans, an employer should focus on the following steps to meet the April 14, 2004, compliance deadline:
Conclusion: When It Comes to HIPAA Privacy, Few Employers Are Off the Hook
The popularity of medical FSAs and the prevalence of EAPs mean that many employers, even those with fully-insured medical, dental, and vision plans, will need to address compliance with the HIPAA Privacy Rule before the April 14, 2004 compliance deadline. For those who fail to do so, there may be a brief grace period while the U.S. Department of Health and Human Services, the administrative agency with enforcement authority, emphasizes voluntary compliance and event-driven enforcement. At some point, however, this forgiving attitude towards enforcement will change, or angered employees will pursue private theories of recovery. Employers who have failed to bring their medical FSA or their EAP into compliance with the HIPAA Privacy Rule may then discover a costly Achilles' heel.